Defense In Depth; Firmware Protection; Authentication & Access Control - Bosch 7000i-2MP Quick Start Manual

IP Camera Hardening and Cybersecurity Guide | Secure Configuration and Operation

Defense in Depth

Defense in Depth refers to a layered security approach in which no single measure alone is responsible for the security of a
product; instead, there are multiple layers that an attacker needs to breach to exploit a product. With each release of a product, it
is evaluated whether new features are needed to mitigate new attacks or to increase the overall security of the product.

Here is an overview of the main security functions of the IP camera.

Firmware protection

3.1.1 Firmware Signing
Each firmware update file is encrypted and signed by a Bosch certificate. Only updates published by Bosch can be
installed on the cameras, avoiding installation of malicious firmware.

3.1.2 Secure Boot
Cameras of platforms CPP13, CPP14 or newer feature a Secure Boot mechanism. Secure Boot checks the integrity of the
whole system, starting with the bootloader and continuing with the firmware itself on the cameras. Each step of the boot
process verifies the next, starting with an unchangeable hardware root of trust. This prevents an attacker from modifying
the bootloader or firmware on the device.

Authentication & Access Control

3.2.1 User Authentication
Bosch IP cameras support different methods of authentication. Password-based authentication is pre-configured, with three
different roles that can be assigned to a user. Optionally, certificate-based authentication or ADFS integration into an Active
Directory is supported. For more information, see our Data Security Guidebook.

3.2.2 Password Policy
No default passwords are set for the camera. When first connecting to the device, a new administrator password must be
set following strict password complexity rules.

3.2.3 Login Firewall
To protect against password brute forcing while still allowing administrators to log in, and to protect against
Denial of Service (DoS) attacks, the login firewall checks login attempts based on behavioral analysis and dynamically
blocks or allows access based on IP addresses.
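
The manual does not describe the login firewall's algorithm, so the following is an added example and not Bosch's implementation: a per-source-IP failure window in Python that shows why blocking the address, rather than locking the account, stops password guessing while the administrator can still log in from another address. The class name, the thresholds and the sample addresses are assumptions.

```python
import time
from collections import defaultdict, deque

class LoginFirewall:
    """Per-source-IP throttle: blocks the address, never the account."""

    def __init__(self, max_failures=5, window_s=60.0, block_s=300.0,
                 clock=time.monotonic):
        # Thresholds are assumed values for illustration only.
        self.max_failures, self.window_s, self.block_s = max_failures, window_s, block_s
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def attempt(self, ip, password_ok):
        """Return 'blocked', 'ok' or 'denied' for one login attempt."""
        now = self.clock()
        if now < self.blocked_until.get(ip, 0.0):
            return "blocked"                # credentials are not evaluated at all
        self.blocked_until.pop(ip, None)
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window_s:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_s
            recent.clear()
        return "denied"

def replay(events, **kwargs):
    """Run constructed (time, ip, password_ok) events through the firewall."""
    now = [0.0]
    fw = LoginFirewall(clock=lambda: now[0], **kwargs)
    results = []
    for t, ip, ok in events:
        now[0] = t
        results.append((ip, fw.attempt(ip, ok)))
    return results

# Constructed sample: one address guessing passwords, the admin on another.
SAMPLE = [(t, "203.0.113.7", False) for t in range(6)] + [
    (6, "198.51.100.10", True),   # admin on a different address is unaffected
    (7, "203.0.113.7", True),     # even a correct guess is refused while blocked
    (400, "203.0.113.7", True),   # block has expired
]
```

Calling `replay(SAMPLE)` returns one verdict per event; because state is keyed by address, the guessing source cannot lock the administrator out.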

3.2.4 Camera Authentication
To uniquely identify and authenticate a camera, a Bosch device certificate is created on each camera during production.
This certificate can be used to check whether one is communicating with a genuine Bosch device. Custom certificates can
also be uploaded or created on the camera to provide integration with a PKI environment to protect against man-in-the-middle
attacks.
Data subject to change without notice | August 22
8 | 14
Security Systems / Video Systems

This manual is also suitable for:

7100i-2mp oc
